374 research outputs found

    Survivability modeling for cyber-physical systems subject to data corruption

    Cyber-physical critical infrastructures are created when traditional physical infrastructure is supplemented with advanced monitoring, control, computing, and communication capability. More intelligent decision support and improved efficacy, dependability, and security are expected. Quantitative models and evaluation methods are required for determining the extent to which a cyber-physical infrastructure improves on its physical predecessors. It is essential that these models reflect both cyber and physical aspects of operation and failure. In this dissertation, we propose quantitative models for dependability attributes, in particular survivability, of cyber-physical systems. Any malfunction or security breach, whether cyber or physical, that causes the system operation to depart from specifications will affect these dependability attributes. Our focus is on data corruption, which compromises decision support -- the fundamental role played by cyber infrastructure. The first research contribution of this work is a Petri net model for information exchange in cyber-physical systems, which i) facilitates evaluation of the extent of data corruption at a given time, and ii) illuminates the service degradation caused by propagation of corrupt data through the cyber infrastructure. In the second research contribution, we propose metrics and an evaluation method for survivability, which captures the extent of functionality retained by a system after a disruptive event. We illustrate the application of our methods through case studies on smart grids, intelligent water distribution networks, and intelligent transportation systems. Data, cyber infrastructure, and intelligent control are part and parcel of nearly every critical infrastructure that underpins daily life in developed countries. Our work provides means for quantifying and predicting the service degradation caused when cyber infrastructure fails to serve its intended purpose. It can also serve as the foundation for efforts to fortify critical systems and mitigate inevitable failures. --Abstract, page iii

    Evaluating Resilience of Cyber-Physical-Social Systems

    Nowadays, protecting the network is not the only security concern. Still, in cyber security, websites and servers are becoming more popular as targets due to the ease with which they can be accessed when compared to communication networks. Another threat in cyber-physical social systems with human interactions is that they can be attacked and manipulated not only by technical hacking through networks, but also by manipulating people and stealing users' credentials. Therefore, systems should be evaluated beyond cyber security, which means measuring their resilience as a piece of evidence that a system works properly under cyber-attacks or incidents. In that way, cyber resilience is increasingly discussed and described as the capacity of a system to maintain state awareness for detecting cyber-attacks. All the tasks for making a system resilient should proactively maintain a safe level of operational normalcy through rapid system reconfiguration to detect attacks that would impact system performance. In this work, we broadly studied a new paradigm of cyber-physical social systems and defined a uniform definition of it. To overcome the complexity of evaluating cyber resilience, especially in these inhomogeneous systems, we proposed a framework including applying Attack Tree refinements and Hierarchical Timed Coloured Petri Nets to model intruder and defender behaviors and evaluate the impact of each action on the behavior and performance of the system.

    Nowadays, protecting the network is not the only security concern. Still, in cyber security, websites and servers are becoming more popular as targets due to the ease with which they can be accessed compared to communication networks. Another threat in cyber-physical social systems with human interactions is that they can be attacked and manipulated not only by technical hacking through networks, but also by manipulating people and stealing users' credentials. Therefore, systems should be evaluated beyond cyber security, which means measuring their resilience as evidence that a system works properly under cyber attacks or incidents. In this way, cyber resilience is increasingly discussed and described as the capacity of a system to maintain state awareness in order to detect cyber attacks. All tasks for making a system resilient must proactively maintain a safe level of operational normalcy through rapid system reconfiguration to detect attacks that would affect system performance. In this work, a new paradigm of cyber-physical social systems is studied broadly and a uniform definition is proposed. To overcome the complexity of evaluating cyber resilience, especially in these non-homogeneous systems, a framework is proposed that includes the application of Attack Tree refinements and Hierarchical Timed Coloured Petri Nets to model intruder and defender behaviours and evaluate the impact of each action on the behaviour and performance of the system.

    A Smart Game for Data Transmission and Energy Consumption in the Internet of Things

    The current trend in developing smart technology for the Internet of Things (IoT) has motivated a lot of research interest in optimizing data transmission or minimizing energy consumption, but with little evidence of proposals for achieving both objectives in a single model. Using the concept of game theory, we develop a new MAC protocol for IEEE 802.15.4 and IoT networks in which we formulate a novel expression for the players' utility function and establish a stable Nash equilibrium (NE) for the game. The proposed IEEE 802.15.4 MAC protocol is modeled as a smart game in which analytical expressions are derived for channel access probability, data transmission probability, and energy used. These analytical expressions are used in formulating an optimization problem (OP) that maximizes data transmission and minimizes energy consumption by nodes. The analysis and simulation results suggest that the proposed scheme is scalable and achieves better performance in terms of data transmission, energy efficiency, and longevity when compared with the default IEEE 802.15.4 access mechanism.
    Peer reviewed

    Modeling of AODV routing protocol using timed petri nets

    Interest and research in wireless networks have grown exponentially in recent years. In a Mobile Ad hoc NETwork (MANET), wireless transmission takes place where one mobile node can send messages directly to another mobile node. One of the reactive protocols (protocols that create routes on an on-demand basis) defined for MANETs is the AODV (Ad hoc On-demand Distance Vector) routing protocol. Node movement in the dynamic environment causes frequent topology changes in the network. Thus it is very necessary for every node in the network to keep track of changes so that efficient packet transmission can be done. In this thesis, the delay associated with a packet is calculated in MATLAB as well as in CPN Tools, and a comparison is made between them. Implementation in CPN Tools requires time values to be incorporated into the states (i.e. places and transitions), which indicate the delay taken by a router, the delay associated with a link, or the delay due to queuing of packets. This value can be extracted for a particular route and the delay value associated with it can be obtained. We have assumed that all the nodes have sufficient energy while participating in the routing process.

    Dependability Issues for Intelligent Transmitters and Reliability Pattern Proposal

    New technologies make way for "intelligent" transmitters by integrating new functionalities: error measurement corrections, self-adjustment, self-diagnosis for measurement and transmitter status, on-line reconfiguration, and digital bidirectional communication. Industrialists are taking advantage of more accurate measurements, cost reductions and facilities. For industrial risk prevention, new dependability issues are arising. Functionalities such as self-diagnosis and digital communication seem to be in favour of control system availability. On the other hand, the high amount of electronics and programmable units implies new failure causes and modes which are usually not well known. In this paper, dependability issues for intelligent transmitters are discussed and a reliability model is proposed. By using a Goal Tree - Success Tree (GTST) technique, both functional and material aspects of an intelligent transmitter pattern are included. Material-material, material-function, and function-function relationships are then demonstrated in Master Logic Diagrams (MLD). These results are proposed as support for further case studies. For example, the impact of any material failure on any function, and the reliability of the main functions, can be assessed using this kind of model. Other dependability tools can take advantage of this reliability pattern, for example when the behavioural aspects of complex systems are undetermined.

    Proceedings Work-In-Progress Session of the 13th Real-Time and Embedded Technology and Applications Symposium

    The Work-In-Progress session of the 13th IEEE Real-Time and Embedded Technology and Applications Symposium (RTAS'07) presents papers describing contributions both to the state of the art and the state of the practice in the broad field of real-time and embedded systems. The 17 accepted papers were selected from 19 submissions. These proceedings are also available as Washington University in St. Louis Technical Report WUCSE-2007-17, at http://www.cse.seas.wustl.edu/Research/FileDownload.asp?733. Special thanks go to the General Chairs, Steve Goddard and Steve Liu, and the Program Chairs, Scott Brandt and Frank Mueller, for their support and guidance.

    Development and Analysis of a Train-Centric Distance Measurement System Using Colored Petri Nets

    Based on technology trends, the train control system should weaken the proportion of ground facilities and give trains more individual initiative than in the past. As a result, the safety and flexibility of the train control system can be further improved. In this thesis, an enhanced movement authority system is proposed, which combines the advantages of train-centric communication with current movement authority mechanisms. To obtain the necessary train distance interval data, the onboard equipment and a new train-to-train distance measurement system (TTDMS) are applied as the normal and backup strategies, respectively. While different location technologies have been used to collect data for trains, the development and validation of new systems remain challenges. In this thesis, formal approaches are presented for developing and verifying TTDMS. To assist the system development, Colored Petri Nets (CPNs) are used to formalize and evaluate the system structure and its behavior. Based on the CPN model, the system structure is validated. Additionally, a procedure is proposed to generate a code architecture from the formal model. The system performance is assessed in terms of detection range and accuracy. Therefore, both mathematical simulation and practical measurement validation are implemented. The results indicate that the system is feasible for carrying out distance measurements on both metropolitan and railway lines, and the formal approaches are reusable to develop and verify other systems. As the target object, TTDMS is based on a spread-spectrum technology to accomplish distance measurement. The measurement is carried out by applying Time of Arrival (TOA) to calculate the distance between two trains, and requires no synchronized time source for transmission. It can calculate the time difference by using the autocorrelation of a Pseudo Random Noise (PRN) code. Different from existing systems in air and maritime transport, this system does not require any other localization unit, except for the communication architecture. To guarantee that a system can operate as designed, it needs to be validated before its application. Only once system behavior has been validated do evaluations of other related performance aspects make sense. Based on the unambiguous definition of formal methods, TTDMS can be described much more clearly by using formal methods instead of executable code.

    Based on technological trends, the train control system should reduce the share of ground installations and give trains more individual initiative than in the past, since this can increase the functional safety and flexibility of the train control system. In this thesis, an enhanced system is proposed that combines the advantages of train-centric communication with current movement authority mechanisms. To obtain the necessary train distance interval data, the onboard equipment and a new train-to-train distance measurement system (TTDMS) are applied as the normal and backup strategies, respectively. While various localization technologies have been used to collect train data, the development and validation of new systems remains a challenge. In this thesis, formal approaches for the development and verification of TTDMS are presented. To support system development, CPNs are used to formalize and evaluate the system structure and its behavior. Based on the CPN model, the system structure is validated. In addition, a method is proposed for generating a code architecture from the formal model. System performance is assessed in terms of detection range and accuracy. Therefore, both a mathematical simulation and a practical validation of the measurements are implemented. The results show that the system is able to carry out distance measurements on metro and railway lines. In addition, the formal approaches are reusable in the development and verification of other systems. Distance measurement with TTDMS is based on a spread-spectrum technique. The measurement is carried out by applying the time of arrival to calculate the distance between two trains. This technique requires no synchronization of the transmission time sources. The time difference can thus be calculated by using the autocorrelation of the pseudo-random noise code. Unlike systems in air and maritime transport, this system requires no localization unit other than the communication architecture. To guarantee that a system works as intended, it must be validated. Only once system behavior has been validated are evaluations of other related performance aspects meaningful. Because of their unambiguous definition, TTDMS can be described more clearly with formal methods than with executable code.

    A Dual-Mode Adaptive MAC Protocol for Process Control in Industrial Wireless Sensor Networks

    Doctoral dissertation at the Faculty of Engineering and Science, University of Agder, 2017
    Wireless Sensor Networks (WSNs) consist of sensors and actuators operating together to provide monitoring and control services. These services are used in versatile applications ranging from environmental monitoring to industrial automation applications. Industrial Wireless Sensor Networks (IWSNs) are a sub-domain of the WSN domain, focusing on industrial monitoring and automation applications. The IWSN domain differs from the generic WSN domain in terms of its requirements. General IWSN requirements include energy efficiency and quality of service, and strict requirements are imposed on the quality of service expected by IWSN applications. Quality of service in particular relates to reliability, robustness, and predictability. Medium Access Control (MAC) protocols in an IWSN solution are responsible for managing radio communications, the main consumer of power in every IWSN element. With proper measures, MAC protocols can provide energy-efficient solutions along with the required quality of service for process control applications. The first goal of the thesis was to assess the possibility of creating a MAC protocol exploiting properties of the application domain, the process control domain. This resulted in the creation of the Dual-Mode Adaptive Medium Access Control Protocol (DMAMAC), which constitutes the main contribution of this thesis. The DMAMAC protocol is energy efficient, while preserving real-time requirements, and is robust to packet failure. This has been guaranteed by the thorough evaluation of the protocol via simulation, verification, and implementation with deployment testing. In parallel, we also investigated the possibility of using an alternative development approach for MAC protocols. Specifically, we have proposed a development approach based on a MAC protocol model in CPN Tools. The development approach consists of automatic code generation for the MiXiM simulation tool and the TinyOS platform. We used the related GinMAC protocol as a running example for the development approach. The generated code for the MiXiM simulation platform and the TinyOS implementation platform is evaluated via simulation and deployment, respectively. This results in a faster design-to-implementation time and closely related protocol artifacts, improving on the traditional approach.